Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
Alec Fenichel <alec.fenichel@transnexus.com> Mon, 25 October 2021 15:19 UTC
From: Alec Fenichel <alec.fenichel@transnexus.com>
To: Ben Campbell <ben@nostrum.com>, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
CC: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Date: Mon, 25 Oct 2021 15:18:45 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/kDB4Fmp06C4mpa79Z3b2k7jvycA>
Another way of putting it: the entity dereferencing the resource must verify that the resource matches the supplied integrity. The resource should not be dereferenced for the sake of verifying the integrity.
TransNexus
From: stir <stir-bounces@ietf.org> on behalf of Ben Campbell <ben@nostrum.com>
Date: Monday, October 25, 2021 at 11:07
To: Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [stir] draft-ietf-stir-passport-rcd-13 rcdi validation
(as individual)
I think I agree with you in general. To paraphrase the conclusions:
The VS MUST verify the passport signature and the claim constraints. That verifies that the claim values are correct as signed by the AS, for example that the value in the rcdi is the correct value. Any party that uses RCD claims that are covered by an rcdi hash MUST verify that hash before trusting that content. Other parties MAY verify it according to local policy.
Does that match your thoughts?
On Oct 20, 2021, at 6:37 AM, Jack Rickard <jack.rickard=40microsoft.com@dmarc.ietf.org> wrote:
Hi all,
To clarify things, and hopefully reduce the number of rounds of review, this is a write-up of my position (and hopefully some alternative positions) on rcdi validation.
rcdi is a mechanism to ensure the integrity of the rcd information, and so any entity that retrieves/uses the rcd information clearly must validate that information against the rcdi digests, otherwise it could not trust what it had downloaded.
However, any verification service that does not need to retrieve the RCD information, cannot and possibly should not always retrieve and validate it, for a few reasons:
- There isn’t enough time – downloading and validating all the data (or in fact any data) takes a prohibitively long time, especially as an intermediate verification service does not know which bits of data are going to be used.
- The data could change – even if an intermediate does perform the validation, the end entity must repeat this as the information it retrieves could very well be different to what the intermediate validated.
- There was discussion in the meeting of a TSP that rehosted the RCD information; in that case it is the end entity in this discussion and realistically needs its own integrity mechanism on what it has rehosted.
- An intermediate could reject something that the end entity would accept – downloading information from the internet is not perfectly reliable, there could be firewall issues, or just temporary server issues that cause an intermediate validator to not be able to get the RCD information, in which case it would fail to validate the passport and throw out all the rcd information (and potentially all the STIR information). An end entity does not have to do this, it might be able to retrieve items the intermediate cannot, it might not want all the information in the first place, and in the worst case it can gracefully degrade the rcd information it cannot access.
Taking all of that, I believe that the rcd and rcdi information should be treated as “valid” in the context of PASSporT verification if the data in the PASSporT is correct (this would include checking JWTClaimConstraints), but not depend on any of the referenced information’s integrity.
There is a question there about “/rcd”, “/nam”, and “/apn” digests; for the sake of simplicity I’d suggest they also aren’t required to be checked by the verifier, but I don’t believe it matters.
There are some issues with this approach though:
- Security is more complicated – this split validation model introduces extra complexity to the security of RCD information in PASSporTs. As far as I can tell, this wouldn’t introduce any new attack vectors, but does place a greater burden on the end entity doing things correctly.
- This introduces a new entity – I don’t believe any previous documents have made a distinction between the end entity and verification services, just focusing on authentication services and verification services. This introduces actions that this end entity must perform for the system to conform to the standard.
Those issues are not enough to change my mind; however, I welcome different opinions and there are almost certainly more I haven’t thought of or weren’t discussed.
Thanks,
Jack Rickard
he/him
Software Engineer
jack.rickard@microsoft.com
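The split validation model argued for in this thread, as an added example (not code from the draft or from any participant): the intermediate VS checks only what is inside the PASSporT and never dereferences anything, while the end entity verifies the rcdi digest of whatever it actually retrieves, dropping (rather than failing the whole PASSporT on) items it could not fetch or that mismatch. The digest encoding ("sha256-" plus unpadded base64url keyed by JSON pointer) and the "jcl" key are assumptions borrowed from the draft's conventions, not stated in this thread; the sample payload and bytes are constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Assumed rcdi digest encoding for this example: "sha256-" followed by the
# unpadded base64url SHA-256 of the dereferenced bytes, keyed by JSON pointer.
def rcdi_digest(content: bytes) -> str:
    raw = hashlib.sha256(content).digest()
    return "sha256-" + base64.urlsafe_b64encode(raw).decode().rstrip("=")

def vs_check_claims(payload: dict) -> bool:
    """Intermediate VS step: structural check of rcd/rcdi only. Signature and
    JWTClaimConstraints are assumed verified already; nothing is dereferenced."""
    rcd, rcdi = payload.get("rcd"), payload.get("rcdi")
    if not isinstance(rcd, dict):
        return False
    if rcdi is None:
        return True
    if not isinstance(rcdi, dict):
        return False
    return all(p.startswith("/") and str(d).startswith("sha256-")
               for p, d in rcdi.items())

def end_entity_filter(payload: dict, fetched: Dict[str, Optional[bytes]]) -> Dict[str, bytes]:
    """End-entity step: keep only dereferenced content whose rcdi digest matches.
    Unfetchable (None) or mismatched items are dropped: graceful degradation."""
    rcdi = payload.get("rcdi") or {}
    usable: Dict[str, bytes] = {}
    for pointer, content in fetched.items():
        expected = rcdi.get(pointer)
        if content is None or expected is None:
            continue  # fetch failed, or element not covered by rcdi: do not trust
        if hmac.compare_digest(rcdi_digest(content), expected):
            usable[pointer] = content
    return usable

# Constructed sample data (not from the thread): a logo and a jCard the
# end entity would dereference, and the PASSporT claims that cover them.
LOGO = b"\x89PNG constructed-logo-bytes"
CARD = b'{"fn":"Example Caller"}'
PAYLOAD = {
    "rcd": {"nam": "Example Caller",
            "apn": "https://example.invalid/logo.png",
            "jcl": "https://example.invalid/card.json"},
    "rcdi": {"/apn": rcdi_digest(LOGO), "/jcl": rcdi_digest(CARD)},
}
```

Feeding `end_entity_filter(PAYLOAD, {"/apn": LOGO + b"tampered", "/jcl": CARD})` yields only `/jcl`, which is the end entity degrading the altered logo without discarding the rest of the RCD or the PASSporT.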